Generation of service agreements for the use of network internal functions in telecommunication networks

ABSTRACT

Network internal functions of a telecommunication network can be accessed from an external site (Se), for example a server, for the running of external services for network users (Mo), whereby the access is achieved by means of a secure service interface device (S2) of a network (“access network”) on the basis of a service agreement, valid for said service interface, in favour of the external site (Se). According to the invention, in order to achieve access to functions in another network (target network), as a result of a request (3) for a network internal function, sent to the interface device (S2) from the external site (Se), said interface checks whether the request comprises the use of a function of the target network. Where this is the case, a service agreement (4) (transitive agreement) is concluded between the interface device (S2) and a secure service interface device (S1) of the target network. The request (5) is further transmitted and processed by means of the interface devices (S1, S2) on the basis of said transitive agreement.

CLAIM FOR PRIORITY

This application is a national stage of PCT/DE2003/001941, published in the German language on Feb. 26, 2004, which claims the benefit of priority to German Application No. 102 31 972.3, filed on Jul. 15, 2002.

TECHNICAL FIELD OF THE INVENTION

The invention relates to a method for accessing network-internal functions in telecommunication networks from an external site.

BACKGROUND OF THE INVENTION

In modern mobile radio networks, e.g. the known UMTS system, external providers are able to offer network users services via the mobile radio network, such as local information services (e.g. request for nearest gas station), messaging services (e.g. chat rooms), games, etc. External providers here are understood to be devices or enterprises which do not themselves operate or maintain a communication network or support a network operator in the tasks required to operate a network. The services they offer are hereafter referred to as external services or third-party services.

An external service is often operated via a secure service access interface SSAI of the relevant network. Use of such a service access interface is based on a service level agreement SLA between the provider and the network operator. Naturally the number of service level agreements that an external provider concludes with networks is limited, and a provider will generally only conclude a service level agreement with networks in whose catchment area (usually a country or state) the provider or the devices implementing its service are located. It can therefore happen that a user located in the catchment area of another network (visited network) instead of in their own network, and wishing to use an external service available in the visited network, is denied the use of the service, because the service requires access to user-related data and this is not possible because no adequate agreement exists between the service provider and the home network. Such a situation results in particular because the home network of the user does not have an agreement with said network (access network) for the provider to provide its external service.

For the mobile radio network services most frequently used at present (so-called legacy services) the problem of limited use options does not exist, as the legacy services represent standard services provided directly by the networks. The mobility of such services is guaranteed at network level by the mobility mechanisms inherent in the mobile networks.

SUMMARY OF THE INVENTION

The invention relates to a method for accessing network-internal functions in telecommunication networks from an external site, with access being achieved via a secured service interface device of a network on the basis of a service agreement in favor of the external site and valid for the service interface.

One embodiment of the invention discloses use of network-internal service functions, in particular for access to user-related data, by external services even when the service functions are requested via a different network.

In another embodiment according to the invention, there is a method in which it is verified on the part of the secure service interface device (SSAI), on the basis of a request sent to it from the external site, whether the request involves the use of a function of another network (target network) and, if so, a second request relating to the functions of this network is then exchanged between the interface devices on the basis of a service level agreement concluded between the interface device and a secure service interface device of the target network (transitive agreement).

In one aspect of the invention, the target network corresponds to the home network of the user using the service, so that access takes place in the context of a service which is executed by the external site for a user, the home network of which is the target network. The invention hereby permits the use of user-related data in a simple manner, without undue infringement of data protection interests.

The transitive agreement can already exist; in other words it can have been concluded before the start of the service. Alternatively the transitive agreement can be concluded with a second network in each instance on the basis of the first request relating to the network, with the agreement being valid for the duration of the service or continuing thereafter at the discretion of the operator.

As a basis for the transitive agreement, it is generally a requirement that there is a valid service level agreement between the service provider and the access network and similarly a service level agreement (for example together with a roaming agreement) exists between the access network and the target network—in other words generally the home network of the user using the service. In such a case it is expedient for the transitive agreement to be generated as a service level agreement in favor of the external site, in so far as there is a roaming agreement between the networks operating as mobile radio networks and a service level agreement on the part of the access network in favor of the external site.

As stated above, the external site can be a server for external services which are executed using network-internal services in the area of the access network (or a visited network available via the access network) for users that are connected or logged in.

It is also advantageous if messages exchanged between the external site and the target network further to the second request are transmitted via the interface devices, with the interface device of the access network transparently forwarding messages exchanged between the external site and the interface device of the target network. If the messages further to the second request are exchanged between the external site and network centers of the target network, the messages can be transmitted via the interface device of the access network such that the interface device forwards the messages as a transparent proxy server.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is described in more detail below with reference to exemplary embodiments. The drawings are referenced for this purpose, in which:

FIG. 1 shows the networks and network components involved in the exemplary embodiment.

FIG. 2 shows a flow diagram of the signals for the initiation of an external service.

It should be noted here that only the components and devices necessary to illustrate the invention are shown in the Figures. Other devices, in particular switching units and connection elements, are obvious to the person skilled in the art and are therefore not shown.

DETAILED DESCRIPTION OF THE INVENTION

As shown in FIG. 1, the user of a mobile telephone Mo is located as a mobile user in the catchment area of a mobile radio network N2, which is set up in the known manner, for example as a UMTS network, and is connected in the known manner via a gateway Gw to the home network N1 of the user Mo. The network N2 therefore serves the user Mo as a visited network, to which the user is connected via the base station of a mobile switching center Ms, which also manages user-related data in a temporary manner in the form of a visitor register. A home register H1, also referred to as a home location register HLR, is provided in the home network N1 for the storage of significant user data, in particular permanent and quasi-permanent data, such as call number, device type, subscribed services, etc. and temporary data such as current location.

An external service provider provides a service, for example an information service, by means of a server device Se connected to the mobile radio network N2, the service operating as an application program on the server and being provided via a WAP page. When executed, the service accesses the services of the network N2, e.g. for charging purposes. A secure service interface device S2 is set up in the network N2 as a network device for access to network-internal services of the network N2 by external providers, and a secure service interface device S1 is set up similarly in the network N1 with particular responsibility for providers (not shown) connected there.

The network N2 therefore operates as an access network for external services provided from the server Se.

A secure service interface device—hereafter abbreviated to SSAI—of a network is an electronic interface, which is established on the basis of existing standards or other regulations and allows services of external providers in a position of trust to access network-internal functions, e.g. call control, charge functions and user profile requests. One example of an SSAI is the so-called OSA (open service access) interface, which is defined by the 3GPP in the standard TS 22.127. More detailed information about the 3GPP consortium and assigned standards is available on the internet at: http://www.3gpp.org.

A service level agreement should exist for an external provider to be authorized to utilize access in respect of an SSAI. Such a service level agreement—hereafter abbreviated to SLA—provides the basis for access authorization and authentication of the service or the server executing the service. An SLA is generally based on a contract between the external provider and the operator of the SSAI or the relevant network and is stored on the SSAI in electronic form, e.g. in a specific file or as an entry in a database. If a network operator—e.g. the operator of the network N2—permits the provider of an external service to access network functions (set out in the relevant contract) via the SSAI—in the example the SSAI S2—the SSAI is set up such that the service server Se of the provider is authorized for such access after corresponding authentication. Authentication of the service or server Se can be effected electronically, e.g. by transmitting one or a plurality of SLA certificates to the SSAI S2, with a suitable protocol for the service request—in the example the OSA API according to 3GPP TS 29.198—being used for the exchange of messages between the server Se and the SSAI S2.

The service functions are generally accessed within a session which is initiated between the sites involved (in this instance the sites Se, S2), e.g. for the duration of execution of the service. At the start of the session a so-called electronic SLA is set up, which is valid for said session, by the above-mentioned authentication by means of SLA certificate(s).

It should be noted that for UMTS networks (such as the networks N1, N2 in the exemplary embodiment) the SSAI devices are set up as OSA gateways. There is currently no communication between the OSA gateways S1, S2 of different UMTS networks N1, N2 to allow an exchange of SLA certificates. According to the invention, this shortcoming is eliminated in that a “transitive” electronic SLA is set up between the SSAI sites and further dialog takes place between the sites in the nature of the dialog between an SSAI and an external server. This is described in more detail below.

The signal flow diagram in FIG. 2 shows the messages which are exchanged to initiate a service between the service server Se, the user Mo and the network stations S1, S2. In FIG. 2, the vertical axis represents time (downwards) and the individual network centers are symbolized as vertical lines.

When the user Mo requests an external service from the provider, said user sends a request 1 of the known type via the visited network N2, in which the user is located, to the server Se. This request can be made in different ways, for example in the form of a telephone call via a service number assigned to the server Se, via access to an internet site or a WAP site, etc. The relevant external service is then implemented on the part of the server Se for the user Mo, with the option of a dialog 11 with the user.

As stated above, it is often the case that the service also requires access to functions of the home network of the user—or another target network, which is not the access network—e.g. charging, perhaps to pay for special services. If no SLA exists between the home network N1 and the service provider or the latter's server Se, according to the invention functions are accessed on the basis of an existing SLA between the provider/server Se and the access network N2 and an access option between the networks (in this instance the target network N1 and the access network N2) in the form of “transitive SLAs” as described in more detail below.

In the case of the exemplary embodiment the visited network and the access network N2 are the same. Generally, as indicated in FIG. 1 by the broken line of the network N3, these can be different, with communication between the server Se (connected via the access network N2) and the user Mo in the visited network N3, which then serves as a transport network, taking place in the known manner. In a further constellation the user could be located in the target network—i.e. the visited network N3 and target network N1 are identical—and use an external service, access to which is effected via a different access network N2. Irrespective of these specific constellations, the processes of significance to the invention operate between the server Se and the devices of its access network N2 and the devices of the target network N1.

Instead of the server Se communicating with the SSAI S1 of the home network N1 of the user Mo—which is of course not possible without an SLA between said sites—according to the invention network-internal services are accessed via the SSAI S2 of the access network N2, where there is an SLA as required.

To use network services a session is set up between the server Se and the SSAI S2. First the server Se sends an SLA certificate 2 to the access network SSAI S2 to set up an electronic SLA, which serves as the basis of authentication for the session; this SLA is primarily only valid for the session between the server Se and the SSAI S2 in the network N2. A request 3 is then sent for a network service function, e.g. for the charging of a specific amount, with said request generally containing further data, in particular the ID of the user Mo (e.g. said user's IMSI or TMSI) and if required the identity of the target network N1.

The request 3 is received and evaluated on the part of the access network SSAI S2. It is thereby identified that the request requires network services of another target network, in this instance the home network N1. According to the invention, therefore, in the next step a “transitive SLA” is set up with the SSAI S1 of the target network by the SSAI S2 sending an SLA certificate 4 to the SSAI S1 of the target network N1.

A session is thereby initiated between the SSAI sites S1, S2, which, together with the session between the SSAI S2 and the server Se in the access network N2, according to the invention generally allows communication between the server Se and the target network SSAI S1. For this to take place, the access network SSAI S2 is set up such that—in addition to its known function as a server for SSAI transactions—it can send requests as a client to another SSAI and receive corresponding server responses from there. Advantageously, the same protocol is used for this as is used between the SSAI S2 and the external server Se, e.g. the OSA API referred to above.

The target network SSAI S1 is also expediently set up so that a service request and an SLA can be requested from an SSAI S2 of another network, with which for example a roaming agreement exists; this access option therefore exists in addition to those of the external providers (not shown), for which an SLA exists with the SSAI S1, and in an essentially equivalent manner thereto. Such access can be set up in the same way as for an external provider, generally by corresponding configuration or administration of the settings of the SSAI S1, based for example on a roaming agreement or another agreement between the operators of the networks involved N1, N2.

Once the transitive SLA has been set up between the SSAI sites S1, S2, requests 5 can be sent to the SSAI S1, which the latter forwards as required, as a function of the respective request, to other network stations of the target network. The SSAI S2 hereby forwards the messages exchanged between the terminal sites S1, Se in a transparent manner. The access network SSAI S2 hereby receives requests from the server Se and forwards them in the dialog held with the SSAI S1 to the latter; responses from the SSAI S1 are in turn routed back to the server Se.

In the instance considered here, namely charging, the request is sent to the home register H1 of the home network N1. For further messages exchanged between the server Se and the target network N1, e.g. the charging confirmation 6 of the home register H1, the SSAI devices S1, S2 serve as transparent proxy stations, via which the relevant messages and responses are forwarded.

In the process described above, the transitive SLA is concluded for the duration of a session and therefore only covers the transaction associated with the service request. A new transitive SLA must therefore be concluded in the event of another, in particular a later or for some other reason separate, service request or transaction. However, in a variation, the transitive SLA can be set up permanently, so that step 4 of FIG. 2 would not be required for further service requests. Instead, the existence of an (already concluded) transitive SLA would be verified at this point on the part of the SSAI S1 and S2. A transitive SLA is then set up (step 4) only if an SLA does not exist (or has expired in the meantime). In other words, the SLA between the SSAI devices S1, S2 does not have to be concluded at the time of the specific request 3 but can already have been set up before this.

It should be noted that the process described using the above exemplary embodiment is given as an example and is not restrictive for the invention. Rather, the invention can be used in more general instances, as long as the following conditions are satisfied:

- the telecommunication networks involved (two or more) each have an SSAI;
- the necessary protocols (e.g. an OSA protocol) for setting up an SLA exist between the networks involved or the associated SSAI devices;
- the external site (e.g. the external service provider) has an SLA with one of the networks involved.

Subject to the above conditions the invention allows a transitive SLA to be set up with the relevant target network, which is required to respond to the respective service request, from the network with which the external site has agreed an SLA.
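The FIG. 2 signal flow (steps 2 to 6) and the conditions above, modelled as an added simulation that is not part of the patent: S2 authenticates the server Se by its SLA certificate, derives the target network from the IMSI or an explicit target field, sets up a transitive SLA with S1 only where a roaming agreement exists, and then proxies the request. The network names, certificate strings and the PLMN-to-network table are constructed assumptions; the session-scoped and the permanent transitive SLA variants are both covered.

```python
from dataclasses import dataclass, field

# Constructed PLMN table: the leading MCC+MNC digits of an IMSI name the home network.
PLMN_TO_NETWORK = {"26201": "N1", "26202": "N2"}


def home_network(imsi: str) -> str:
    """Derive the home network of a user from the IMSI carried in request 3."""
    return PLMN_TO_NETWORK.get(imsi[:5], "unknown")


@dataclass
class Ssai:
    """Secure service access interface (OSA gateway) of one network (constructed model)."""
    network: str
    provider_certs: set                   # SLA certificates of external providers (step 2)
    roaming_partners: set                 # networks allowed to set up a transitive SLA (step 4)
    persistent_transitive: bool = False   # variation: keep transitive SLAs beyond one session
    peers: dict = field(default_factory=dict)          # target network -> its Ssai
    transitive_slas: set = field(default_factory=set)  # standing transitive SLAs
    log: list = field(default_factory=list)            # recorded FIG. 2 steps

    def execute(self, request: dict) -> dict:
        """Network-internal function (e.g. charging via the home register) of this network."""
        return {"status": "ok", "network": self.network, "function": request["function"]}

    def accept_transitive(self, peer_network: str) -> bool:
        """S1 side of step 4: accept the SLA certificate only from a roaming partner."""
        return peer_network in self.roaming_partners

    def handle(self, cert: str, request: dict) -> dict:
        """S2 side: steps 2 to 6 of FIG. 2 for one request from the server Se."""
        if cert not in self.provider_certs:                 # step 2: no SLA with this provider
            return {"status": "rejected", "reason": "no SLA for this provider"}
        target = request.get("target") or home_network(request["imsi"])
        if target == self.network:                          # local function, no transitive SLA
            return self.execute(request)
        if target not in self.transitive_slas:
            peer = self.peers.get(target)
            if peer is None or not peer.accept_transitive(self.network):
                return {"status": "rejected", "reason": f"no transitive SLA with {target}"}
            self.log.append(f"4: SLA certificate {self.network}->{target}")   # step 4
            if self.persistent_transitive:
                self.transitive_slas.add(target)
        self.log.append(f"5: forward {request['function']} to {target}")       # step 5
        response = self.peers[target].execute(request)      # S1 forwards inside the target
        self.log.append(f"6: {response['status']} from {target}")             # step 6
        return response


def build_networks(persistent: bool = False) -> tuple:
    """Constructed topology of FIG. 1: S1 in home network N1, S2 in access network N2."""
    s1 = Ssai("N1", provider_certs=set(), roaming_partners={"N2"})
    s2 = Ssai("N2", provider_certs={"cert-Se"}, roaming_partners={"N1"},
              persistent_transitive=persistent, peers={"N1": s1})
    return s1, s2


if __name__ == "__main__":
    s1, s2 = build_networks()
    print(s2.handle("cert-Se", {"function": "charge", "imsi": "262011234567890"}))
    print(s2.handle("cert-Se", {"function": "charge", "imsi": "262021234567890"}))
    print(s2.handle("cert-X", {"function": "charge", "imsi": "262011234567890"}))
    print(s2.log)
```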

CLAIMS

1. A method for accessing network-internal functions of telecommunication networks from an external site, with access taking place via a secure service interface device of a network based on a service level agreement valid for the service interface in favor of the external site, comprising: verifying, on the part of the interface device, based on a request sent to it from the external site relating to a network-internal function, whether the request involves use of a function of another network; and, when the request uses a function of another network, exchanging a second request relating to the functions of the network between the interface devices based on a service level agreement concluded between the interface device and a secure service interface device of the target network.

2. The method according to claim 1, wherein access takes place in the context of a service which is executed by the external site for a user, the home network of which is the target network.

3. The method according to claim 1, wherein the service level agreement is generated in a manner favorable to the external site, such that a roaming agreement exists between the networks set up as mobile radio networks and the service level agreement exists on a part of the access network favorable to the external site.

4. The method according to claim 1, wherein the external site is a server for external services, which are executed in an area of the access network or a visited network accessible via the access network using network-internal services for users that are connected or logged in.

5. The method according to claim 1, wherein messages exchanged further to the second request between the external site and the target network are transmitted via the interface devices, with the interface device of the access network forwarding messages exchanged between the external site and the interface device of the target network in a transparent manner.

6. The method according to claim 1, wherein messages exchanged further to the second request between the external site and network centers of the target network are transmitted via the interface device of the access network, with the interface device forwarding the messages as a transparent proxy server.

7. A network device of a telecommunication network, which is set up as a secure service interface device to verify, on the part of an interface device, based on a request sent thereto from an external site relating to a network-internal function, whether the request involves use of a function of another network; and, when the request uses a function of another network, to exchange a second request relating to the functions of the network between the interface devices based on a service level agreement concluded between the interface device and a secure service interface device of the target network.